Questions tagged [authentication]


Authentication: establishing the authenticity of a person or other entity. Abbreviated "authn". Not to be confused with defining access rights to resources, which is the topic of authorization (authz).

See more at http://en.wikipedia.org/wiki/Authentication

An update on the state of the art and a research agenda is in the IEEE Security and Privacy Magazine special issue for January/February 2012: Authentication—Are We Doing Well Enough?

4356 questions
618 votes, 23 answers
How does changing your password every 90 days increase security?

Where I work I'm forced to change my password every 90 days. This security measure has been in place in many organizations for as long as I can remember. Is there a specific security vulnerability or attack that this is designed to counter, or are…
Bill the Lizard

554 votes, 3 answers
Why can I log in to my Facebook account with a misspelled email/password?

I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account my email and password were autocompleted by my browser. Then I decided to misspell my…
aMJay

500 votes, 8 answers
RSA vs. DSA for SSH authentication keys

When generating SSH authentication keys on a Unix/Linux system with ssh-keygen, you're given the choice of creating an RSA or DSA key pair (using -t type). What is the difference between RSA and DSA keys? What would lead someone to choose one over…
jrdioko

407 votes, 10 answers
Is BASIC-Auth secure if done over HTTPS?

I'm making a REST API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used. Can this be considered secure?
Morten

400 votes, 5 answers
Why is 'Bearer' required before the token in the 'Authorization' header in an HTTP request?

What exactly is the difference between the following two headers: Authorization : Bearer cn389ncoiwuencr vs Authorization : cn389ncoiwuencr All the sources which I have gone through set the value of the 'Authorization' header as 'Bearer'…
Anmol Gupta

295 votes, 7 answers
What's the rationale behind Ctrl-Alt-Del for login?

Why is Ctrl+Alt+Del required at login on certain Windows systems (I have not seen it elsewhere, but contradict me if I'm wrong) before the password can be typed in? From a usability point of view, it's a bad idea as it's adding an extra step in…
Count Zero

262 votes, 4 answers
How does Google Authenticator work?

Google Authenticator is an alternative to SMS for 2-Step Verification, installing an app on Android where the codes will be sent. It works without any connectivity; it even works in plane mode. This is what I don't get. How is it possible that it…

247 votes, 18 answers
Passwords being sent in clear text due to users' mistake in typing it in the username field

Upon reviewing the logs generated by different SIEMs (Splunk, HP Logger Trial and the AlienVault platform's SIEM) I noticed that for some reason quite a few users tend to make the mistake of typing their passwords in the username field, either in…
Lex

241 votes, 4 answers
What is the difference between authorized_keys and known_hosts file for SSH?

I am learning the basics of the SSH protocol. I am confused about the contents of the following 2 files: ~/.ssh/authorized_keys: Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the…
Ankit

236 votes, 3 answers
Why did I have to wave my hand in front of my ID card?

I recently had to authenticate myself online to use an internet-based service. The authentication process was done via video call with me holding my ID card in front of my laptop camera beside my face. I also had to wiggle the ID card so the person…
Tom K.

223 votes, 13 answers
Is there any reason to not show users incorrectly entered passwords after a successful login?

Our client has come up with the requirement that in case the username in question has had multiple failed login attempts, the incorrectly entered password(s) must be shown once a successful login is performed. Correctly entered information,…
RaunakS

209 votes, 4 answers
Is a rand from /dev/urandom secure for a login key?

Let's say I want to create a cookie for a user. Would simply generating a 1024-bit string by using /dev/urandom, and checking if it already exists (looping until I get a unique one) suffice? Should I be generating the key based on something else? Is…
Incognito

191 votes, 4 answers
Is Plaid, a service which collects users' banking login information, safe to use?

I recently signed up for Privacy.com, which uses a service called Plaid to link a bank account. To do this, it requires the user to provide their banking username and password to a webpage from Plaid, not their bank. Then, Plaid accesses the…
gfrung4

169 votes, 7 answers
Difference between OAuth, OpenID and OpenID Connect in very simple terms?

I am very confused by the difficult jargon available on the web about OAuth, OpenID and OpenID Connect. Can anyone tell me the difference in simple words?
user960567

165 votes, 8 answers
Why is Mother's Maiden Name still used as a security question?

From time to time, some web sites ask you to enter a security question and an answer for it. The question list is standard and it usually includes "What is your mother's maiden name?". Some people use their mother's real maiden name so that they are…
Alexei
